Juniper产品介绍2Copyright 2009 Juniper Networks, Inc. www.juniper.net 议事日程 Juniper公司介绍 公司介绍 公司产品线概述 Juniper安全技术 安全产品介绍4块SPC;2块NPC固定接口(SCB) 8-10/100/1000 + 4-SFP模块化接口（IOC） 16-10/100/1000;16-SFP;2-XFP多核架构2电源冗余(N+1)性能 防火墙吞吐率 (大包) 10 /20 Gbps并发连接数 2.25M新建连接数 17.5WModelDescriptionSRX3400BASE-ACSRX 3400 Chassis, Midplane, Fan, RE, SFB-12GE, AC PEM - no power cord - no SPC - no NPCSRX3400BASE-DCSRX 3400 Chassis, Midplane, Fan, RE, SFB-12GE, DC PEM - no SPC - no NPC*最少需配1SPC,1NPCFrontRear11Copyright 2009 Juniper Networks, Inc. www.juniper.net SRX3600 机箱式设计(5U) 12个插槽 (前6后6) 最大7块IOC;7块SPC;3块NPC固定接口(SCB) 8-10/100/1000 + 4-SFP模块化接口 16-10/100/1000;16-SFP;2-XFP多核架构4电源冗余(N+1)性能 防火墙吞吐率 (大包) 10/20/30 Gbps并发连接数 2.25M新建连接数 17.5WModelDescriptionSRX3600BASE-ACSRX 3600 Chassis, Midplane, Fan, RE, SFB-12GE, 2xAC PEM - no power cords - no SPC - no NPCSRX3600BASE-DCSRX 3600 Chassis, Midplane, Fan, RE, SFB-12GE, 2xDC PEM - no SPC - no NPC*最少需配1SPC,1NFrontRear12Copyright 2009 Juniper Networks, Inc. www.juniper.net SRX5600 水平式机箱(8U)8个插槽 最多6块SPC / IOC 最多2块SCB（冗余）模块化接口 40-SFP; 4-10Gig多核架构4电源冗余(N+n/N+1)性能 防火墙吞吐率 (大包) 60 Gbps并发连接数 9M新建连接数 350KModelDescriptionSRX5600BASE-ACSRX5600 chassis, includes RE, SCB, 2 AC power supplies. Country specific power cords purchased separately, see below.SRX5600BASE-DCSRX5600 chassis, includes RE, SCB, 2 DC power supplies*最少需配1SPC13Copyright 2009 Juniper Networks, Inc. www.juniper.net SRX5800 垂直式机箱(16U)14个插槽 最多11块SPC / IOC 最多3块SCB（冗余）模块化接口 40-SFP; 4-10Gig多核架构4电源冗余(N+n/N+1)性能 防火墙吞吐率 (大包) 120 Gbps并发连接数 10M新建连接数 350KModelDescriptionSRX5800BASE-ACSRX5800 chassis, includes RE, 2xSCB, 3 AC power supplies. Country specific power cords purchased separately, see below.SRX5800BASE-DCSRX5800 chassis, includes RE, 2xSCB, 2 DC power supplies*最少需配1SPC14Copyright 2009 Juniper Networks, Inc. www.juniper.net IOC 2x10GE矩阵面板 (SFB)路由引擎 (RE)Fan tray doorAir IntakeServices Processing Card (SPC)IOC 16xCopperIOC 16xSFPFront Slot guideRear Slot guideServices Processing Cards (SPC)Network Processing Cards (NPC) or SPCs 冗余矩阵 (SRX3600 only)组件一览15Copyright 2009 Juniper Networks, Inc. www.juniper.net 1. 数据包从入接口进入送往NP,NP 查询session，不匹配FPGASPUSPC #1FPGACPSPUFPGASWI IOC #YFPGANPC #SNPFPGAFabric IOC domainFPGASWI IOC #XFPGANPC #RNPFPGASPC #NFabric IOC domainFabric SPC domain3. CP 选择 SPU, 让不同的 SPU 进行负 载均衡，并创建session4. 数据包转发到出接口的NP队列，做 QOS后转发给出接口2. NP 把包发给CP如何做到内部的负载均衡？16Copyright 2009 Juniper Networks, Inc. www.juniper.net SRX对DDos的防护大部分Screen特性均可由NPU实现,少数Screen特性由SPU实现 ，可实现对 DDos分布式抵御机制！On NPU: block-frag, fin-no-ack, icmp-fragment, icmp-id, icmp-large, ip-bad-option, ip-filter- src, ip-loose-src-route, ip-record-route, ip-security-opt, ip-stream-opt, ip-strict-src- route, ip-timestamp-opt, land, ping-death, syn-fin, syn-frag, tcp-no-flag, unknown- protocol, winnuke, icmp-flood, udp-flood, syn-flood destination-threshold / source- thresholdOn SPU: teardrop, ip-spoofing, syn-ack-ack-proxy, syn-flood (syn-cookie/syn-proxy)17Copyright 2009 Juniper Networks, Inc. www.juniper.net SRX对SYSlog的处理支持两种格式的输出 传统的 syslog格式 (rfc3164 ,NOT infrastructure)Structured syslog format (rfc5424, 2009 Mar, which obsoletes rfc3164) 目前NSM只支持传统的syslog分析，STRM只支持结构化syslog分析将Events 和 Traffic Logs分离处理 Events are system scope and/or may require operator action Logs are info generated as a result of dataplane actions and are therefore already handledTraffic log独立于设备存储，不占用设备的存储空间和内存buffer数据平面的Events依然会被送到 RE的eventd处理数据平面的Traffic logs 直接通过数据平面处理，不会被RE处理18Copyright 2009 Juniper Networks, Inc. www.juniper.net SRX的优势1、可按需扩展的动态可适应型体系架构2、硬件设计的高可靠性19Copyright 2009 Juniper Networks, Inc. www.juniper.net 可按需扩展的动态可适应型体系架构客户的业务流量增长速度安全设备会最先成为网络中的性能瓶颈点如何适应快速增长的业务流量，如何长远的规划网络架构问题： 举例：今年5G, 三年内达到10G，五年内达到20G，三年后，如何适应10G的业务压力？客户的答案： 三年后 1. 换更高的设备 2. 流量分流，改变网络架构 3 .买多台设备，买负载均衡业务流量飞速增长TimeTODAYFUTURESecurity Requirements FW, IPS back-to- front) Versatile mounting optionsTwinax/DAC support for ToR server access10GbE 汇聚交换机Building/campus distribution and core虚拟机箱 128G Virtual Chassis compatible with EX4200High-speed optical Virtual Chassis所有端口线速转发冗余电源和风扇Junos operating systemL2 and L3 in base Roadmap (not available at FRS)Model# PortsPort TypeUplinks Air Flow EX4500-40F- FB401/10GbE 8xSFP+Front-to- backEX4500-40F- BF401/10GbE 8xSFP+Back-to- front71Copyright 2009 Juniper Networks, Inc. www.juniper.net EX4500 SWITCH: 前后面板一览EX4500 Front ViewEX4500 Rear ViewUSBOptional 4x GbE/10GbE uplink module40 fixed GbE/10GbE SFP/SFP+ portsRedundant, hot swappable, load-sharing power suppliesLCDFixed form factor 2RU (3.4in H x 17.5in W x 21in D) Modular components Power supplies, fan tray Optional uplinks Virtual Chassis module Junos operating system Performance Wire-rate, non-blocking Local switching Latency 2.7usec: Single PFE 4.7usec: Two PFE Scaling 24,000 MAC 10,000 IPv4 routes 4096 VLANs Environmental 1